How to turn a phone into a covert bugging device? Infect the printer

Security researchers have designed a stealthy eavesdropping attack that sounds like it's straight out of a James Bond movie. It starts with a booby-trapped document that compromises an unpatched laser printer, which in turn converts a popular Internet phone into a covert bugging device.

The proof-of-concept attack exploits currently unpatched vulnerabilities in the Avaya one-X 9608, a popular model of phone that uses the Internet rather than a standard phone line to make and receive calls. Researcher Ang Cui, a Ph.D. candidate at Columbia University and chief scientist at Red Balloon Security, declined to provide many details on the vulnerabilities until users have had time to install a patch that Avaya is expected to release soon. He did say the weaknesses allow an attacker on the same local network to execute code on the phone that causes it to surreptitiously record all sounds within earshot and transmit them to a server controlled by the attacker. He demonstrated a similar bugging vulnerability last year in competing Internet phones designed by Cisco Systems, which has since patched the underlying bugs.

Cui, who is scheduled to present his research Friday at the RSA security conference in San Francisco, said the attack underscores the growing susceptibility of phones, routers, and other embedded devices to the types of malware attacks that once threatened only computers. He and Salvatore Stolfo, who is a Columbia University professor of computer science and a Red Balloon director, have devised software dubbed Symbiote, which runs on Internet phones and other embedded devices and alerts users whenever changes are made to the firmware. Symbiote is part of a larger defense the pair has developed called AESOP, short for the Advanced Embedded Sec Ops.

The compromise begins with a booby-trapped document that, when printed, executes malicious code on certain models of HP LaserJet printers that have not been patched against a critical vulnerability. Once compromised, the printers open outbound connections to attacker-controlled servers, giving outside attackers a channel into the network that never has to pass the corporate firewall's inbound filtering. The attackers then use the printers as a proxy to enumerate and connect to other devices on the corporate network.

A diagram from 2013 showing a similar attack on Cisco phones. The new attack uses the same technique to hijack an Internet phone made by Avaya. (Image: Red Balloon Security)

Once an Avaya 9608 phone is discovered, the attackers can inject code into it that infects its firmware. The compromise, which survives reboots, activates the phone's microphone without turning on any lights or otherwise giving any indication that anything is amiss. The infected phones can be set up to record conversations only after attacker-chosen keywords are detected. Recorded conversations can be sent through the corporate network onto the open Internet, but the malware also has a secondary exfiltration method that bypasses network devices that block suspicious traffic. When such devices are detected, the malware can turn the phone's circuit board into a radio transmitter that sends the recorded conversations to a receiver anywhere from several inches to 50 feet away, depending on environmental variables.
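The defense the article attributes to Symbiote, alerting whenever a device's firmware changes, comes down to comparing the firmware on the device against a trusted baseline. The following is an added illustration of that mechanic, not Red Balloon's code and not a description of how Symbiote itself works: the region layout, the 256-byte "firmware" image and the tampering are all constructed for the example, and it shows how a per-region baseline pinpoints the kind of persistent, reboot-surviving modification described above.

```python
import hashlib

# Hypothetical region map for a phone's flash image: name -> (offset, length).
# A real check would take these from the device's actual layout.
REGIONS = {
    "bootloader": (0, 64),
    "kernel": (64, 128),
    "rootfs": (192, 64),
}


def region_digests(image):
    """SHA-256 of each region separately, so a report says which part changed."""
    digests = {}
    for name, (offset, length) in REGIONS.items():
        chunk = image[offset:offset + length]
        if len(chunk) != length:
            raise ValueError(f"image too short for region {name!r}")
        digests[name] = hashlib.sha256(chunk).hexdigest()
    return digests


def check_firmware(baseline, image):
    """Return the names of regions whose digest differs from the trusted baseline.

    An empty list means the image matches. The baseline must come from a
    known-good image (vendor download or a freshly provisioned device) and be
    stored off the device: reference values kept in the same flash an implant
    can rewrite prove nothing.
    """
    current = region_digests(image)
    return [name for name in REGIONS if current[name] != baseline[name]]


def build_clean_image():
    """Constructed stand-in for a 256-byte firmware image."""
    return b"B" * 64 + b"K" * 128 + b"R" * 64


def implant(image, offset, payload):
    """Constructed tampering: overwrite bytes in place, as a persistent implant would."""
    return image[:offset] + payload + image[offset + len(payload):]


if __name__ == "__main__":
    baseline = region_digests(build_clean_image())
    print(check_firmware(baseline, build_clean_image()))  # []
    print(check_firmware(baseline, implant(build_clean_image(), 100, b"\xde\xad")))  # ['kernel']
```

The caveat that matters in practice is where the check runs: a comparison executed by the phone's own firmware can be lied to by an implant living in that firmware, which is why a reference held outside the device, or a hardware-rooted measurement, is what makes the alert trustworthy.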

A sign of things to come

The big limitation of the attack being demonstrated Friday is that it depends on specific printer and phone vulnerabilities, so it works against only a tiny fraction of devices. The larger point is that bugs in electronics firmware are notoriously easy to exploit, as a small sample of recent stories shows. Even if a target isn't using the phones or printers featured in the demonstration, chances are good that it is using some constellation of devices that are susceptible to remote hijacking. And besides, many organizations fail to apply firmware updates, so even when a patch has been released, there's a good chance it will never be installed on many vulnerable devices.

For most of the past two decades, exploit developers have focused most of their talent on compromising computers, the vast majority of which ran Microsoft operating systems. Now that modern versions of Windows are becoming much harder to commandeer, hackers are turning their attention to newer devices. There's a dizzying array of defenses against attacks on computers. By contrast, there are relatively few options for preventing attacks that target routers, printers, and phones, but that's not likely to be the case for much longer.

Promoted Comments

Or replace infected printer with infected Smart TV, infected NEST thermostat, infected Smart Refrigerator, etc. Unpatched "smart" devices will just make things like this easier, and we all know that securing network-enabled commodity items is pretty low on most people's priorities and pretty much non-existent on the manufacturer's priorities.

For what it's worth, I have an embedded development class this semester and the security aspect is basically nonexistent. Granted, we're doing pretty trivial things, but most of the people who take this class have never done C before, and our boards can connect to the Internet. It does sound like a recipe for disaster if these people keep doing embedded work and don't realize that C arrays aren't like Java arrays.

So how is a printer expected to bypass a firewall? If the firewall isn't exploited then there still has to be a path to the Internet, and if the path goes through the firewall on blocked ports it can stop it. It must be using 80 or 443 because any other port would be filtered or heavily restricted.

It is trivial for the exploit code on the printer to use port 80 for command and control using 100% valid HTTP. It would be valid to ask "Why is the printer able to connect to the Internet at all? Printers should be on a separate network that is blocked at the firewall." But even that misses the point. An exploited printer can be used to exploit other devices behind the firewall. Now replace "printer" with "appliance that doesn't get patched and updated as often as a computer."
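The two behaviours the article describes for the compromised printer, calling out to an attacker's server and then enumerating other devices on the internal network, are both visible in connection records, and the comment above is right that the callout can be well-formed HTTP on port 80. The detection below is therefore keyed on the role of the source host rather than on the destination port. It is an added example, not code from the article or from Red Balloon; the device inventory, the choice of RFC 1918 space as "internal", the fan-out threshold and the flow lines are all constructed for illustration, with 203.0.113.10 standing in for an attacker-controlled server.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: IP -> device class. In a real deployment this comes from
# the asset database, DHCP fingerprinting or the VLAN the device sits on.
EMBEDDED_DEVICES = {
    "10.0.20.5": "printer",
    "10.0.30.17": "phone",
}

# Address space the organisation treats as internal (assumption: RFC 1918 only).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Distinct internal peers a printer or phone may contact before it looks like enumeration.
FANOUT_THRESHOLD = 5

# Constructed flow log, one connection per line: src,dst,dport,proto.
SAMPLE_FLOWS = """\
10.0.20.5,203.0.113.10,80,tcp
10.0.20.5,203.0.113.10,80,tcp
10.0.20.5,10.0.30.17,80,tcp
10.0.20.5,10.0.30.18,80,tcp
10.0.20.5,10.0.30.19,80,tcp
10.0.20.5,10.0.30.20,22,tcp
10.0.20.5,10.0.30.21,443,tcp
10.0.20.5,10.0.30.22,5060,udp
10.0.10.44,203.0.113.10,80,tcp
10.0.10.44,10.0.20.5,9100,tcp
10.0.30.17,10.0.1.2,5060,udp
"""


def parse_flows(text):
    """Parse the CSV flow format above into (src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split(",")
        flows.append((src, dst, int(dport), proto))
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(flows, inventory=EMBEDDED_DEVICES, fanout=FANOUT_THRESHOLD):
    """Return alerts for embedded devices that reach the Internet or fan out internally.

    The destination port is deliberately ignored: a compromised printer can speak
    valid HTTP on port 80, so the signal is who is initiating the connection.
    """
    egress = defaultdict(set)  # device -> {(dst, dport)} seen leaving the internal space
    peers = defaultdict(set)   # device -> {internal dst} it initiated connections to
    for src, dst, dport, proto in flows:
        if src not in inventory:
            continue  # workstations are expected to reach the Internet; out of scope here
        if is_internal(dst):
            peers[src].add(dst)
        else:
            egress[src].add((dst, dport))

    alerts = []
    for host, targets in sorted(egress.items()):
        alerts.append({"host": host, "class": inventory[host],
                       "rule": "embedded-device-egress", "detail": sorted(targets)})
    for host, seen in sorted(peers.items()):
        if len(seen) >= fanout:
            alerts.append({"host": host, "class": inventory[host],
                           "rule": "internal-fanout", "detail": len(seen)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

On the sample data the printer is flagged twice (one external destination, six internal peers) while the workstation talking to the same external address and the phone talking to its call server raise nothing. The rule complements, rather than replaces, the network design the comment suggests: a printer VLAN with no route to the Internet turns the first alert into a firewall deny, but only the second one catches the printer being used as a proxy against hosts behind that same firewall.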